Sep 22, 2010

The gateway address is wrong, but I have access to the Internet. Why?

In order to reach unknown networks, a host needs a gateway to forward the traffic. The gateway is a device connected to the local network and to at least one external network. Because that device can route packets, it can forward the traffic toward unknown destinations. OK, we know that. What's the big news?

Is it possible to reach the Internet even if the gateway address is wrong? Yes. Maybe. I will demonstrate how, using the following scenario:


Device addresses:

asa# show ip address | begin Current
Current IP Addresses:
Interface   Name     IP address     Subnet mask    Method
Ethernet0   outside  172.16.15.1    255.255.255.0  manual
Ethernet1   inside   192.168.100.1  255.255.255.0  manual


ISP#show ip interface brief
Interface        IP-Address     OK?  Method Status Protocol
FastEthernet0/0  172.16.15.254  YES  manual up     up
FastEthernet0/1  172.31.0.12    YES  manual up     up 
 

While configuring the firewall policy, the administrator made a typo and set the wrong gateway address (172.16.51.254 instead of 172.16.15.254):

asa# show route | i Gateway
Gateway of last resort is 172.16.51.254 to network 0.0.0.0


Let's try to ping some Internet destination, then check what happens:

asa# ping 72.14.253.104
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 72.14.253.104, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 124/126/127 ms


Since 72.14.253.104 is not a member of the local network, the firewall needs to use the gateway. It already knows the gateway IP address, but it needs the MAC address to build the Ethernet header:
 
asa# show debug
debug arp enabled at level 1
arp-req: generating request for 172.16.51.254 at interface outside
arp-send: arp request built from 172.16.15.1 00aa.00c1.fa00 for 172.16.51.254 at 14925090
arp-in: response at outside from 172.16.51.254 cc00.0f08.0000 for 172.16.15.1 00aa.00c1.fa00
arp-set: added arp outside 172.16.51.254 cc00.0f08.0000 and updating NPs at 14925130
arp-in: resp from 172.16.51.254 for 172.16.15.1 on outside at 14925130
arp-send: sending all saved block to outside 172.16.51.254 at 14925130

 
ISP#show debug
ARP:
  ARP packet debugging is on
*Sep 22 14:20:00.394: IP ARP: rcvd req src 172.16.15.1 00aa.00c1.fa00, dst 172.16.51.254 FastEthernet0/0
*Sep 22 14:20:00.398: IP ARP: sent rep src 172.16.51.254 cc00.0f08.0000, dst 172.16.15.1 00aa.00c1.fa00 FastEthernet0/0

 
The debug outputs above show the ISP router performing proxy ARP: it answers the ARP request for 172.16.51.254, an address it does not own, with its own MAC address. The firewall therefore gets the correct gateway MAC address even though the IP address is wrong. Since delivery to the gateway is a layer-2 communication, the firewall can forward traffic to it, and we have connectivity to the Internet.
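The check below is an added example, not part of the original post: it takes the ASA output shown above and flags a default gateway that is not on any connected subnet, as well as ARP replies whose sender IP lies outside the receiving interface's subnet, which is how proxy ARP shows up in the debug. The function names are hypothetical.

```python
import ipaddress
import re

# Device output copied from the post above.
SHOW_IP = """\
Interface   Name     IP address     Subnet mask    Method
Ethernet0   outside  172.16.15.1    255.255.255.0  manual
Ethernet1   inside   192.168.100.1  255.255.255.0  manual
"""
SHOW_ROUTE = "Gateway of last resort is 172.16.51.254 to network 0.0.0.0"
ARP_DEBUG = """\
arp-req: generating request for 172.16.51.254 at interface outside
arp-in: response at outside from 172.16.51.254 cc00.0f08.0000 for 172.16.15.1 00aa.00c1.fa00
"""

def parse_interfaces(text):
    """Map each interface name (nameif) to its connected IPv4 network."""
    nets = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        try:
            iface = ipaddress.ip_interface(f"{fields[2]}/{fields[3]}")
        except ValueError:
            continue  # header row or unrelated line
        nets[fields[1]] = iface.network
    return nets

def gateway_interface(route_line, nets):
    """Return (gateway, nameif); nameif is None when the gateway is off-link."""
    m = re.search(r"Gateway of last resort is (\S+)", route_line)
    if not m:
        return None, None
    gw = ipaddress.ip_address(m.group(1))
    for name, net in nets.items():
        if gw in net:
            return gw, name
    return gw, None

def off_subnet_arp_replies(debug, nets):
    """List ARP replies whose sender IP is outside the receiving interface's subnet."""
    hits = []
    pat = re.compile(r"arp-in: response at (\S+) from (\S+) (\S+) for")
    for m in pat.finditer(debug):
        name, ip, mac = m.groups()
        if name in nets and ipaddress.ip_address(ip) not in nets[name]:
            hits.append((name, ip, mac))
    return hits
```

With the post's data, the gateway 172.16.51.254 is reported as off-link and the reply received on outside is flagged. With the intended address 172.16.15.254, neither check fires.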


asa(config)# end
asa# wr mem
